Microsoft on July 14, 2026 detailed CVE-2026-55948, a use-after-free vulnerability in Microsoft Office Excel that carries a CVSS 3.1 score of 7.8. An attacker who crafts a malicious workbook can achieve remote code execution after a victim opens the file. The flaw affects a wide range of deployments, from Microsoft 365 Apps to perpetual Office 2016, Mac versions, and even Office Online Server.

The Core Issue: Memory Safety Breaks When Excel Opens a Crafted File

The bug stems from a use-after-free condition (CWE-416) in how Excel processes workbooks. Microsoft’s advisory states that an unauthorized attacker can execute code locally by exploiting this memory-safety error. The result is arbitrary code execution in the security context of the logged-in user.

Crucially, the vulnerability is not network-facing. An attacker cannot send a specially crafted packet to Excel from across the internet. Instead, the exploit is delivered through a file—typically a workbook sent via email, shared through a cloud link, or dropped on a website. Once the file exists on the target system, the victim must open or interact with it in some way for the flaw to fire. This is why the CVSS vector is AV:L (Local) despite Microsoft labeling it a remote code execution (RCE) vulnerability.

What It Means for You

The impact is stark: complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). Code running under the victim’s identity can read sensitive documents, modify files, install malware, and pivot to network resources. Because the attack requires no prior privileges (PR:N), an attacker doesn’t need a foothold on your machine—just the ability to get you to open a booby-trapped file.

For home users, the risk arrives through phishing emails, untrusted downloads, or even shared files from compromised accounts you trust. For businesses, the danger multiplies through collaboration tools like Teams, SharePoint, and OneDrive, where workspaces may automatically sync malicious content. Administrators should note that while standard user accounts limit the lateral damage, the attacker can still exfiltrate or encrypt all data accessible to that user.

Why ‘Remote’ and ‘Local’ Are Both Correct

Microsoft’s use of “Remote Code Execution” often confuses people, especially when the CVSS vector says AV:L. The company explains that “Remote” describes the attacker’s location—they are somewhere else, delivering the payload—while the attack itself is carried out locally. The file must be processed by Excel on the victim’s own computer. This is a well-worn pattern for document-based exploits: the attacker is remote in delivery but local in exploitation.

The CVSS specification itself supports this. FIRST, the organization behind CVSS, clarifies that a vulnerability is scored AV:L when exploitation requires local read, write, or execution capabilities, including scenarios where the attacker uses social engineering to convince a user to open a malicious document. So the workbook arrives remotely, but the parser executes locally. Industry also sometimes calls this Arbitrary Code Execution (ACE) to avoid the confusion, but Microsoft’s taxonomy keeps the RCE label for many such flaws.

How We Got Here

Office document vulnerabilities have a long history. Use-after-free bugs in complex parsers like Excel’s are particularly dangerous because they allow code execution after memory is freed but not cleared. CVE-2026-55948 follows a line of similar issues patched over the years. The widespread nature of this update—covering seven product lines across Windows, Mac, and server—suggests the vulnerable code may be in a shared component.

Microsoft published the CVE with a full set of remediations on July 14, which lines up with its predictable security update schedule. As of that date, the National Vulnerability Database had not enriched the entry, and CISA reported no known exploitation. But that can change overnight. Attackers regularly reverse-engineer patches to craft exploits within days or weeks.

Your Action Plan: Patching and Hardening

Update immediately. Microsoft has released fixes for all affected editions. Here are the minimum build numbers you need:

  • Excel 2016: Version 16.0.5561.1001 or later
  • Office for Mac: Version 16.111.26071215 or later
  • Office Online Server: Version 16.0.10417.20175 or later

For Microsoft 365 Apps (both Enterprise and consumer), the update rolls out via the office’s own update mechanism, not Windows Update. The delivered build will depend on your servicing channel (Current, Monthly Enterprise, Semi-Annual, etc.). Microsoft has released security fixes for all supported channels. Verify you are on a build dated July 14 or later.

Don’t overlook Office Online Server. Many organizations forget this component because it doesn’t follow the same Click-to-Run path. Check the installed version manually and apply the appropriate update package from Microsoft’s download center.

Layered defenses help, but they are not a substitute for patching. While you await deployment, or for added resilience, consider these measures:

  • Enable Protected View in Office to open files from potentially unsafe locations in a sandbox.
  • Configure Attack Surface Reduction rules via Microsoft Defender to block Office applications from creating child processes or launching executable content.
  • Ensure email filtering and endpoint detection are tuned to flag macro-enabled and unusual Excel files.
  • Remind users to avoid opening workbooks from unknown sources and to rely on viewing features rather than blindly enabling content.

Administrators in larger environments should scan for devices that haven’t updated, especially virtual desktops, disconnected machines, and systems assigned to deferred update rings. Office 2016 and 2019 MSI-based installs may need a separate deployment package.

The Outlook

No public exploit code exists yet, but history says that window won’t last. Organizations that applied the patch within the first 24 hours are well protected. For everyone else, the race is on. The real-world damage from similar Excel bugs—data theft, ransomware deployment, lateral movement—makes CVE-2026-55948 a priority, not an optional update.